On 2025-03-05 11:33, Henk Birkholz wrote:
> Hi Anders,
>
> I am not sure if I should get involved in this conversation,

Henk, I don't bite :)


> but you wrote something that I would like you to elaborate about, specifically:
>
>> wrapping data-to-be signed in "bstr" destroys the structure of messages.

> I am not following.

You seem to be in very good company...

From https://datatracker.ietf.org/doc/html/rfc8392#appendix-A.3 we take an 
example of a CBOR Web Token (CWT):

Using COSE
==========
18([h'a10126', {
    4: h'4173796d6d65747269634543445341323536'
}, h'a70175636f61703a2f2f...10d9f0061a5610d9f007420b71', 
h'5427c1ff28d23fba...c57209120e1c9e30'])


Using Enveloped Signature based on Universal CBOR
=================================================
18({
    1: "coap://as.example.com",
    2: "erikw",
    3: "coap://light.example.com",
    4: 1444064944,
    5: 1443944944,
    6: 1443944944,
    7: h'0b71',
    # Signature container
    -1: {
      # alg = ES256
      1: -7,

      # kid
      3: h'4173796d6d65747269634543445341323536',

      # signature value which encompasses ALL data including the top level TAG
      6: h'ffb944aef83cac4fcfa...2cc25cda922e5e54965f6c9626bad59'
    }
})

In a not yet released version of Universal CBOR there is a complete code example
https://cyberphone.github.io/doc/research/draft-rundgren-universal-cbor.html#name-code-example
that without any libraries performs this kind of signature & validation.

No 🚀 science.  In case you want more, this is where things become almost 
interesting:
https://cyberphone.github.io/doc/defensive-publications/partial-encryption-full-signature.pdf

Regards,
Anders




> Best regards,
>
> Henk
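
The enveloped scheme from the message above, as an added Python sketch (not part of the original e-mail and not the code example from the Universal CBOR draft): the claims stay a readable map, and the signature covers the deterministic encoding of the whole tagged object with only the signature value left out. Assumptions: HMAC-SHA256 (COSE alg 5) stands in for ES256 so the example needs only the standard library, the key and kid are constructed, and the receiver is taken to have already decoded the object.

```python
import hashlib, hmac

SIG, ALG, KID, VALUE = -1, 1, 3, 6  # map labels as used in the message above
HS256 = 5  # COSE "HMAC 256/256"; assumption: stand-in for ES256 (-7), stdlib only

class Tag:
    def __init__(self, number, value):
        self.number, self.value = number, value

def head(major, n):
    """Initial byte plus shortest-form argument, as deterministic CBOR requires."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("argument exceeds 64 bits")

def encode(obj):  # deterministic encoder for the few types this example needs
    if isinstance(obj, Tag):
        return head(6, obj.number) + encode(obj.value)
    if isinstance(obj, dict):  # keys sorted bytewise by their encoding
        items = sorted((encode(k), encode(v)) for k, v in obj.items())
        return head(5, len(items)) + b"".join(k + v for k, v in items)
    if isinstance(obj, int):
        return head(0, obj) if obj >= 0 else head(1, -1 - obj)
    if isinstance(obj, bytes):
        return head(2, len(obj)) + obj
    if isinstance(obj, str):
        return head(3, len(obj.encode())) + obj.encode()
    raise TypeError(f"unsupported type: {type(obj).__name__}")

def sign(tag_number, claims, key, kid):
    """Sign tag + claims + container (minus value), then add the value."""
    container = {ALG: HS256, KID: kid}
    tbs = encode(Tag(tag_number, {**claims, SIG: container}))
    container[VALUE] = hmac.new(key, tbs, hashlib.sha256).digest()
    return Tag(tag_number, {**claims, SIG: container})

def verify(signed, key):
    """Remove the signature value, re-encode everything else, compare MACs."""
    container = dict(signed.value[SIG])
    value = container.pop(VALUE)
    tbs = encode(Tag(signed.number, {**signed.value, SIG: container}))
    return hmac.compare_digest(value, hmac.new(key, tbs, hashlib.sha256).digest())

KEY = b"constructed demo key"  # constructed sample key
CLAIMS = {1: "coap://as.example.com", 2: "erikw", 3: "coap://light.example.com",
          4: 1444064944, 5: 1443944944, 6: 1443944944, 7: bytes.fromhex("0b71")}
SIGNED = sign(18, CLAIMS, KEY, b"demo-kid")  # b"demo-kid" is a constructed kid
```

Because the data to be signed includes the tag and the `alg`/`kid` entries, changing any claim, the tag number or the container metadata invalidates the signature, while `SIGNED.value[2]` remains directly readable without unwrapping a `bstr`.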


